Network World
Credit card industry struggles to enforce security standard

Visa, Discover and others are taking a tougher stance on noncompliance as data breaches continue to tarnish the retail industry
By Ellen Messmer, Network World, 01/25/2007

Major credit card companies have made it mandatory for merchants and payment processors to comply with stringent network security rules that went into effect in mid-2005. But getting buy-in from the millions of companies that handle credit card information remains elusive.

American Express, Visa International, MasterCard Worldwide and Discover Financial Services are among the backers of the rules known as the Payment Card Industry Data Security Standard (PCI DSS).

“All the merchants are required to comply with the PCI data-security standards or face fines,” says Rob Tourt, vice president of network services at Discover. Yet adoption of PCI DSS is not widespread, Tourt admits, though he wouldn’t disclose exact figures.

To improve compliance, Discover is getting more aggressive and working individually with certain merchants to make sure they get through the 12-point security plan, which covers firewalls, vulnerability assessment and encryption, among other requirements.

Discover isn’t alone in striving to turn PCI DSS into more than a paper tiger. Visa, which works more directly with acquiring banks than with merchants, also is trying to shore up low merchant adoption numbers.

Visa’s new approach calls for levying punitive fines on banks that fail to get their merchant customers to comply with the PCI standard — while promising multimillion-dollar incentive packages for banks that prod their largest customers into complying.

The broader goal is to stem the hemorrhage of sensitive customer card data lost in recent security incidents, including the data breach acknowledged earlier this month by TJX Companies, which operates retail chains including T.J. Maxx and Marshalls.

The $16 billion Framingham, Mass., retailer won’t divulge whether it complies with PCI DSS, despite the fact that Gary Crittenden, the executive vice president and CFO at American Express, sits on the TJX board.

American Express is one of the five payment-card companies that last September founded the PCI Security Standards Council, which issues the PCI security standard. The other four founding members are: Discover, JCB, MasterCard and Visa.

PCI DSS too tough?

The latest version of the standard, PCI DSS v. 1.1, includes about 200 detailed network and physical security requirements the council’s founders say they want to see become the norm for protecting payment-card information.

Comments (3)

I think these steps are
By magenta on August 26, 2007, 6:58 pm
I think these steps are necessary; a lot of people have suffered from credit card fraud. If one discomfort to the merchant is what it takes, then good.


Acquiring banks lack knowledge
By Anonymous on July 9, 2007, 12:39 pm
I was shocked when I contacted my acquiring bank to ask what I need to do to be PCI compliant. They stated I was compliant because I had a privacy policy and a little...


Credit card industry struggles to enforce security standard
By Anonymous on January 30, 2007, 11:28 am
Nice article. I'm really surprised to see the low level of compliance. I looked at the 12 points (not sure where your link was going) and it's Security 101: Use...
